Last updated on August 23rd, 2022 at 05:42 pm
Every couple of months I get an email asking me if there is any reason why e-stop functions can’t be used as the primary power control (on/off button) for machinery. Following a recent exchange, I thought I would share the reasons for why this is such a bad idea.
The short answer
The short answer is an unequivocal NO. Don’t do it as it is very likely to end in tears.
The long answer
First, I’m going to take you back to the definition of emergency stop found in ISO 13850 [1]:
As you can see, there is nothing in definition of an emergency stop function that relates to using it as the on/off power switch for the machinery.
There are many reasons to not misuse the emergency stop function including:
- The emergency stop function is intended for use in emergency conditions. Using it for every day on/off functions makes a psychological difference in how operators perceive the estop function/device. Consider that one of the design goals for controls engineers is to bring the machinery to a stop as quickly as possible, ideally without damage, but breaking the machine is not out of the question. If operators get used to using the estop button casually, this use can be subtly or overtly damaging the machine every time the button is pressed. This is clearly poor practice at best.
- The standards that include information on the emergency stop function (ISO 13850 [1], IEC 60204-1 [2], NFPA 79 [3], CSA C22.2 #301 [4]) don’t address the “proper use” of the emergency stop function. The electrical design standards only deal with the way all stop functions (cycle stop, on/off, emergency stop, etc.) are expected to operate by defining the stop function categories, while ISO 13850 focuses exclusively on HOW the emergency stop function is required to operate. Only functional safety standards (for machinery: ISO 13849 [5] and IEC 62061 [6]) address the effects of wear on these systems.
- ISO 13850 requires that the emergency stop functions operate with at least PLc reliability (a maximum failure rate of 2.77 ? 10-6 failures/hour [5, Annex K]). Power contactors, brakes, valves, and other control components have an operational life usually given in operating cycles. In some cases, there may be two different operating lifetimes to account for, i.e., a mechanical lifetime and an electrical lifetime. ISO 13849-1 Annex C provides the means to take the rated lifetime (called B10) and convert it to the lifetime in which 10% of the component population will have failed dangerously (B10D), and then to take that number and determine the functional lifetime of the component in the specific application (T10D). This number is compared against the mission time, which is set to 20 years in ISO 13849-1. Long story short: If you have a contactor with a 5000 cycle lifetime (this is an actual lifetime taken from a large power contactor. Your mileage may vary), and as a designer you determine that that contactor has a long enough T10D to not need replacement in the 20 year mission time based on your assumptions about how often the e-stop will be used, and your user starts using that button at a much higher rate than you anticipated then that contactor is going to wear out long before expected. If the emergency stop function is realized using a single-channel architecture (ISO 13849-1 Category 1 or 2, both of which can achieve PLc), then a single component failure can lead to the loss of safety function WITHOUT WARNING. So, at the moment that your operator REALLY NEEDS that emergency stop to function, it’s already failed and no one was the wiser. Now you’ve got a dead or severely injured worker, and/or a destroyed machine and lost production on your hands. If you need to know more about these calculations, see my series “How to Do an ISO 13849-1 Analysis.”
Some readers have conflated the logic related to stop categories and the emergency stop function. In a recent email, a reader indicated that by their logic, “…if a Category 0 or 1 Stop can be used as an E-Stop, then an E-Stop can be used as a Stop.” This is getting the logic completely backward and if followed is likely to end in tears.
Stop Categories
The stop categories (they originated in IEC 60204-1, but were brought into NFPA 79 and CSA C22.2 #301 from that source) describe how ANY stop function can operate [2]:
The emergency stop function
Reading on in IEC 60204-1 to the section describing emergency stop:
ISO 13850 [7, Fig. 1], illustrates how this function is expected to operate.
Referring back to [1], we get this guidance on the design of the emergency stop function:
Conclusions
The second paragraph of [2, 9.2.5.4.2] is telling the designer that the emergency stop function has to either cut power immediately or cut power after allowing a brief period for a graceful stop to occur. Category 0 stop will often result in coasting of the machinery if there is sufficient inertia, so Cat. 1 stops are much more commonly used. The big difference is in how a Cat. 1 used for e-stop is designed, and how a Cat.1 cycle stop function is designed; primarily TIME. In the emergency stop case, the braking or stopping time must be as short as possible, usually just short of breaking the machinery due to the stopping stresses. In a Cat. 1 cycle stop, the time delay will be long enough for the tooling to get to the starting point for the next machine cycle. So in the first case, the time frame might be 100 ms, while in the second case, the time frame might be 5 s. These are completely different scenarios.
As you can see, conflating the Emergency Stop Function and the Stop Function Categories is a major error.
As always, I look forward to your comments and questions!
References
[1] Safety of machinery — Emergency stop — Principles for design, ISO 13850. 2006.
[2] Electrical Equipment of Industrial Machines, IEC 60204-1. 2006.
[3] Electrical Standard for Industrial Machinery, NFPA 79. 2015.
[4] Industrial electrical machinery, CSA C22.2 No. 301. 2016.
[5] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. 2015.
[6] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC 62061. 2005.
[7] Safety of machinery — Emergency stop — Principles for design, ISO 13850. 1996.
© 2019 – 2022, Compliance inSight Consulting Inc. 
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
I work for a company that is asking all employees that use a scissor lift to put the scissor lift in there work area, when that employee goes up in the scissor lift and begins working they are to hit the emergency stop button every time. So one said employee could hit that button 100 times a day. Thoughts on this?
Hi Bentley,
This is a question I can’t specifically answer without a bunch of additional information about the design and construction of the e-stop on the lift(s) you use. However, I will say a few things.
Having said all that, you need to follow your employer’s training and instructions for using the equipment; otherwise, you could be in for significant problems with your job. Failure to follow safety instructions can be a firing offence in some companies, and I do not want you to lose your job, nor do I want you to get hurt doing the work. Talk to your employer about your concerns. Document the conversations so that you have a record of who you spoke with, when (date, time, face-to-face, on the phone, via email, etc.) you spoke to them, and a summary of the conversation. Keep your notes somewhere safe and in a way that you can easily find them. That way, if something goes wrong, you have notes you took at the time. If the conversations happen via text or email, ensure you preserve them in case you need them in the future.
Can I connect my emergency stop in series with stop and start button for a motor starting? If yes, can i remove the stop button and use the emergency stop as stop to save cost? Some customer requires emergency stop even in simple direct online motor start application.
In principle yes, however, to be compliant with ISO 13850 the system must provide at least PL = c performance. This can be achieved using a Category 1 structure with high MTTFD components or with a Category 2 structure with medium MTTFD components and diagnostic coverage (DC) of at least 65%. The approach that you are suggesting can work, however, when you do the lifetime portion of the reliability calculation you will probably find that using the emergency stop device/system as part of your primary on/off motor control will result in an unacceptably short lifetime. You will need to do the ISO 13849-1 analysis carefully to see if you can achieve the component life you need, along with meeting the PL = c requirement. Be careful, and don’t make this decision without doing the analysis.
Is it required to have an E-Stop button connected to a alarm or buzzer?
Hi Don,
No. There is no requirement in ISO 13850 for this. Some National Standards, depending on your locale, and some type C (machine-specific) standards may include this as a requirement, but as a general statement buzzers and alarms are not required for machinery. Some process applications may require an alarm, however, I can’t really comment on that as I don’t do any work in process applications.